| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
ok inoguchi@ tb@
|
This includes a test where the server response includes multiple handshake
messages in the single TLS plaintext record (which would have caught the
bug just fixed in tls13_legacy.c).
|
When switching to the legacy TLS stack we previously copied any remaining
handshake messages into the receive buffer, but do not include any TLS
record header (largely due to the fact that we've already processed part
of the TLS record that we actually received - that part is placed into the
init_buf). This worked fine with the old record layer implementation,
however the new record layer expects to find the TLS record header.
This means that if we switch from the new stack to the legacy stack (i.e.
the remote side does not support TLSv1.3) and there is more than one
handshake message in the TLS plaintext record (which Microsoft's TLS
stack is known to do), we now read a TLS record of zero bytes instead of
getting the correct length.
Fix this by generating a pseudo-TLS record header when switching from the
new TLS stack to the legacy stack.
Found the hard way by guenther@.
Thanks to tb@ for coming up with a reproducible test case and doing much
of the debugging.
ok inoguchi@ tb@
|
The d1_{clnt,srvr}.c contain a single function each - merge these into the
ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency.
ok beck@ tb@
|
DTLSv1 is TLSv1.1 over datagrams - there is no need for a separate
SSL3_ENC_METHOD struct, just use TLSv1_1_enc_data and remove
DTLSv1_enc_data entirely.
ok tb@
|
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.
Requested by tb@
|
This removes the need for extra variables and casts.
ok inoguchi@ tb@
|
This improves readability - while here also add a missing return value
check (although it cannot currently fail).
ok inoguchi@ tb@
|
On OpenBSD it's necessary to use the eopenssl11 s_server with either -4
or -6 to choose an address family. I often want to try something with an
OpenSSL server and then test the same thing with LibreSSL or vice versa.
Adding and removing -4s on top of editing the command is annoying and
distracting.
This commit teaches our s_server to ignore -4 and -6 and thus makes
commands that work with eopenssl11 more likely to work with openssl(1).
These options are deliberately undocumented and don't show up in help
listings.
ok bcook inoguchi jsing
|
using the make variable EOPENSSL11.
Suggested by jsing
|
to look at its private headers either.
|
The X509_STORE_CTX struct is opaque in OpenSSL 1.1. To avoid reaching
inside it, reuse the trusted certificate store that was just assigned
to it and use X509_STORE_CTX_get0_param(3) to access the verification
parameters.
|
Previously the leaf certificate was only being set up on the X509_STORE_CTX
after two verification steps were performed, however at least one of those
steps could result in the verification callback being triggered and
existing code breaking.
Issue noticed by Raf Czlonka when attempting to connect to talk.google.com
using profanity (which does not set SNI and ends up receiving an invalid
certificate).
ok beck@ deraadt@ tb@
|
Currently dtls1_drain_fragments() has an incomplete handrolled version of
dtls1_hm_fragment_free(), which has the potential to leak memory. Replace
the handrolled free with a call to dtls1_hm_fragment_free().
ok inoguchi@ tb@
|
Allocate into the appropriate structures and call dtls1_free() on failure,
rather than allocating into local variables and then remembering to free
various things on failure.
ok tb@
|
Rather than using local variables and having to remember which things need
to be freed upon a failure at a certain point, simply allocate into the
hm_fragment struct and call dtls1_hm_fragment_free() on failure.
Also use calloc() to ensure memory is appropriately zeroed/initialised.
ok tb@
|
An upcoming cleanup diff by jsing needs dtls1_clear_queues() to be
able to handle NULL pqueues. While one can easily add a NULL check
to pqueue_pop(), this does not really fit in with the rest of the
code. There are two kinds of while loops in dtls1_clear_queues that
drain pqueues, so add two helper functions with a NULL check each.
ok jsing
|
ok tb@
|
Use calloc() instead of malloc() and setting all members manually to 0.
Avoid unnecessary else branch.
|
a pointless local scope.
suggested by jsing
|
local scope of a case branch. Move it into the proper location.
No binary change on amd64.
"sure" jsing
|
There is no reason for print_error()'s third argument to be a UI *.
It may just as well be a void * to match what ERR_print_errors_cb()
expects. This avoids casting the function pointer. Also, there's no
need for a (void *) cast.
ok jsing
|
instead of the "decrypt_error" sent by tls13_server_finished_recv().
Both alerts appear to be reasonable in this context, so enable the tests
while working around this.
|
It is a bit silly to push an error on the stack without erroring out,
so error out if the ok_chars and cancel_chars overlap.
ok jsing
|
If any of general_allocate_{prompt,string,boolean}() fail, the
UI_dup_* functions may leak the strings they strduped beforehand.
Instead, use strdup inside these functions, so we can free as
necessary. This makes the UI_add_* and UI_dup_* simple wrappers
around general_allocate_{string,boolean}() that differ only in
passing a Boolean that indicates whether or not to use strdup.
Make a general cleanup pass over these functions, simplify the
logic and make it overall a bit easier to follow. While there,
use strcspn() instead of a handrolled variant.
The only changes in behavior are that ERR_R_MALLOC_FAILURE is now
pushed onto the stack a bit more often and that UI_dup_input_string()
now returns -1 on failure to dup prompt like all the other UI_dup_*
functions. This is not a problem since the manual already documents
that errors are signaled with <= 0. The only consumer of this function
according to Debian's codesearch is libp11, I sent them a PR to fix
their (already broken) error handling.
Addresses about 10 errors thrown by the LLVM static analyzer in ui/.
ok jsing
|
If sk_UI_STRING_new_null() fails, this must be due to a memory error,
so signal this to the user.
ok jsing
|
ok jsing
|
ok beck@ inoguchi@ tb@
|
Provide a ssl3_release_buffer() function that correctly frees a buffer
and call it from the appropriate locations. While here also change
ssl3_release_{read,write}_buffer() to void since they cannot fail and
no callers check the return value currently.
ok beck@ inoguchi@ tb@
|
Various software expects the previous behaviour where the certificate chain
is available on the X509_STORE_CTX when the verify callback is triggered.
Issue hit by bket@ with lastpass-cli which has built in certificate
pinning that is checked via the verify callback.
Fix confirmed by bket@.
ok beck@
|
because tb@ decided to not enable it before the release.
OK tb@
|
issue noticed by and patch OK by jsing@
|
because that is both shorter and more precise;
wording suggested by jsing@
|
2) Reorder the interop tests so the really slow "cert" test is at the end
3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination
of client and server that does not involve libressl. This way we can
skip testing openssl to openssl11 when running these manually by
setting REGRESS_SKIP_SLOW to "yet" in mk.conf
ok jsing@
|
Write documentation from scratch explaining why we don't support 0-RTT
but how we stub it out instead.
Tweaks and OK tb@.
... and beck@ pointed out that this OpenSSL API is akin to adding a
laser sighting system to a giant blackpowder cannon that one keeps
blowing one's own feet to mangled scraps with ...
|